Grennlight Errors after installation

[Philipp Armbruster]

What i have:

-new Ubuntu 16 VM with 8 Cores and 10 GB RAM

-VM is behind a firewall (NAT) and an extra ngnix 

- Greenlight version 2.5.2

What steps I have already taken:

$ wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh > install.sh
$ chmod +x install.sh

Removed line:

if [ "$DIG_IP" != "$IP" ]; then err "DNS lookup for $1 resolved to $DIG_IP but didn't match local $IP."; fi

added in my /etc/hosts

127.0.1.1 join.[domain].de

And than startet install.sh

After the installation is only the hint that the internal IP does not match the external IP.

Added the Admin Account. 

1. Situation:

via 127.0.0.1:5000/b can I log in and the following error occurs:

"Invalid BigBlueButton Endpoint and Secret"

So i checked the .env but this one looks good (bigbluebutton_Endpoint is also with https://join.[domain].de/bigbluebutton/)

when i open this URL they show me:

<response>
<script/>
<returncode>SUCCESS</returncode>
<version>2.0</version>
</response>

The env Check result:

Checking environment: Passed
Checking Connection: Failed
Error Connecting to BigBlueButton server - execution expired

2. Situation:

via join.[domain].de/b i can enter this and Login/register Websites but when i try to login i got:

500 Internal Server Error
If you are the administrator of this website, then please read this web applications log file and/or the web server's log file to find out what went wrong.

-------------------------------------------------

I think it has to do with the two NGINX or Ports. 

config from first Ngnix

server {

listen 80; # HTTP Port, normalerweise 80

server_name join.[domain].de; # Hier wird die Domainname des vHosts eingetragen.

return 301 https://$server_name$request_uri;

}

server {

listen 443 ssl; # HTTPS Port, normalerweise 443

server_name join.[domain].de; # Hier wird die Domainname des vHosts eingetragen.

ssl    on;

ssl_certificate    "/etc/nginx/ssl/certs/wildcard.crt"; -> the right SSL certificate 

ssl_certificate_key    "/etc/nginx/ssl/private/wildcard.key";

access_log /var/log/join.[domain].de.access_log; # Pfad- und Dateiname der Access-Logdatei

location ~* \.()$ {

index index.html index.php;

access_log off;

expires 30d;

}

location ~ /\.ht {

deny all;

}

location / {

proxy_pass http://172.16.8.21:80/; --> to second NGINX

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-for $remote_addr;

proxy_set_header Host $host;

proxy_connect_timeout 60;

proxy_send_timeout 300;

proxy_read_timeout 300;

proxy_redirect off;

proxy_set_header Connection close;

proxy_pass_header Content-Type;

proxy_pass_header Content-Disposition;

proxy_pass_header Content-Length;

client_max_body_size 256M;

}

} 

config second NGNIX

server {
  listen 80;
  listen [::]:80;
  server_name join.domain.de;

  listen 443 ssl;
  listen [::]:443 ssl;

    ssl_certificate /etc/letsencrypt/live/join.domain.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/join.domain.de/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256";
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhp-4096.pem;

  access_log  /var/log/nginx/bigbluebutton.access.log;

   # Handle RTMPT (RTMP Tunneling).  Forwards requests
   # to Red5 on port 5080
  location ~ (/open/|/close/|/idle/|/send/|/fcs/) {
    proxy_pass         http://127.0.0.1:5080;
    proxy_redirect     off;
    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;

    client_max_body_size       10m;
    client_body_buffer_size    128k;

    proxy_connect_timeout      90;
    proxy_send_timeout         90;
    proxy_read_timeout         90;

    proxy_buffering            off;
    keepalive_requests         1000000000;
  }

  # Handle desktop sharing tunneling.  Forwards
  # requests to Red5 on port 5080.
  location /deskshare {
     proxy_pass         http://127.0.0.1:5080;
     proxy_redirect     default;
     proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
     client_max_body_size       10m;
     client_body_buffer_size    128k;
     proxy_connect_timeout      90;
     proxy_send_timeout         90;
     proxy_read_timeout         90;
     proxy_buffer_size          4k;
     proxy_buffers              4 32k;
     proxy_busy_buffers_size    64k;
     proxy_temp_file_write_size 64k;
     include    fastcgi_params;
  }

  # BigBlueButton landing page.
  location / {
    root   /var/www/bigbluebutton-default;
    index  index.html index.htm;
    expires 1m;
  }

  # Include specific rules for record and playback
  include /etc/bigbluebutton/nginx/*.nginx;

  #error_page  404  /404.html;

  # Redirect server error pages to the static page /50x.html
  #
  error_page   500 502 503 504  /50x.html;
  location = /50x.html {
    root   /var/www/nginx-default;
  }
}

I hope someone can help me. Thanks in advance.

[MrKeksi]

bigbluebutton.access.log when i try to login from external:

172.16.8.10 - - [23/Mar/2020:17:47:24 +0100] "GET /b/ HTTP/1.0" 200 57134 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.69 Safari/537.36"

172.16.8.10 - - [23/Mar/2020:17:47:24 +0100] "GET /b/themes/primary.css HTTP/1.0" 304 0 "https://join.[domain].de/b/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.69 Safari/537.36"

172.16.8.10 - - [23/Mar/2020:17:47:24 +0100] "GET /favicon.ico HTTP/1.0" 200 1150 "https://join.[domain].de/b/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.69 Safari/537.36"

172.16.8.10 - - [23/Mar/2020:17:47:26 +0100] "GET /b/signin HTTP/1.0" 200 56913 "https://join.[domain].de/b/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.69 Safari/537.36"

172.16.8.10 - - [23/Mar/2020:17:47:36 +0100] "POST /b/u/login HTTP/1.0" 500 182 "https://join.[domain].de/b/signin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.69 Safari/537.36"

/var/log/ngnix/error.log doesnt show something.

[MrKeksi]

I found this: https://groups.google.com/d/msg/bigbluebutton-setup/PIOmkic2UNk/CNJkMrQNCQAJ

But i dont think that this can help me because Docker chain isn't empty. i dont know why this bridge connection is there (br-ca386d60dedd) 172.20.0.1 but what ever.

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (2 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.20.0.2           tcp dpt:postgresql
ACCEPT     tcp  --  anywhere             172.20.0.3           tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

I'm not a step ahead yet. :(

[Ahmad Farhat]

For the 2nd situation (the 500), can you send me the output of ~/greenlight/log/production.log when the error occurs?

[MrKeksi]

Here it is:

FATAL: [8e899a72-3e61-471b-b3e4-b1b213afa950] ActionController::RoutingError (No route matches [GET] "/u/login"): 
FATAL: [2682209a-bba3-4b98-bef9-3f3809d9611e] ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken): 

https://pastebin.com/WiqubKi6

Thanks for your help

[MrKeksi]

I also found this (https://github.com/bigbluebutton/greenlight/issues/1002) post. Switching to SSL in the .env caused the same error (ERR_TOO_MANY_REDIRECTS - after clearing cache and using another browser).

So we are back to the first NGINX with the same timestamp as above.

my IP - - [23/Mar/2020:17:47:24 +0100] "GET /b/ HTTP/1.1" 200 21388 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.69 Safari/537.36"
my IP - - [23/Mar/2020:17:47:24 +0100] "GET /b/themes/primary.css HTTP/1.1" 304 0 "https://join.(domain).de/b/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.69 Safari/537.36"
my IP - - [23/Mar/2020:17:47:25 +0100] "GET /favicon.ico HTTP/1.1" 200 1150 "https://join.(domain).de/b/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.69 Safari/537.36"
my IP - - [23/Mar/2020:17:47:26 +0100] "GET /b/signin HTTP/1.1" 200 21320 "https://join.(domain).de/b/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.69 Safari/537.36"
my IP - - [23/Mar/2020:17:47:36 +0100] "POST /b/u/login HTTP/1.1" 500 193 "https://join.(domain).de/b/signin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.69 Safari/537.36"

[Ahmad Farhat]

Here's your error:

> HTTP Origin header (https://join.(domain).de) didn't match request.base_url (http://join.(domain).de)

Your NGINX isnt routing properly.

Can you try adding "proxy_set_header X-Forwarded-Ssl on;" to your Greenlight nginx?

[MrKeksi]

Hey thanks a lot for your help! the second case is closed.

For those who, like me, are looking for a solution:

gedit /etc/bigbluebutton/nginx/greenlight.nginx     -> in location /b {}

sudo systemctl restart nginx

Do you happen to know what he meant by that? I think it could be my first cause.
https://github.com/bigbluebutton/greenlight/issues/710

I made another change to the firewall config and it is now working. Thank you for the help.
The docker network (192.168.1.2) wasn't an allowed source IP for HTTPS traffic.

[Ahmad Farhat]

Not sure what changes he made, as I don't have much experience with Greenlight. Your best bet is to try and debug connections between the docker container and the firewall